HOW TO KEEP YOUR SITE SECURE BEYOND WHAT YOUR HOST OFFERS

Security and business go hand in hand. If you had a brick and mortar location, you would lock the doors at night and install some security cameras, wouldn’t you? It would be considered foolish not to. Yet, when it comes to a website we don’t necessarily talk about security in the same obvious way. This may have to do with differing levels of understanding of what actually goes into protecting an e-commerce operation or informational site. Often, the response is “Oh, IT takes care of all that stuff.” And that is usually the case. But, it’s important for business owners to know how their sites can be better secured even if they aren’t actually performing the implementation of these practices themselves.

Cybersecurity is gaining more mainstream attention for many reasons, whether it be political discussions or the reality of an ever more interconnected world. While you may not be running a bank or some other kind of high profile business that you think would make you a target, the truth is small businesses are targeted with fair regularity. In fact, 43% of cyber attacks actually target small businesses. Additionally, 48% of data security breaches occur due to malicious actors rather than human error.

All of this is to say that it’s important to fortify your website within reason. While you shouldn’t be losing sleep at night over it (making sales and generating leads are far more pressing concerns) it’s good to take the right steps to bolster your security for some piece of mind.

Your hosting company does provide some security measures to protect your managed VPS or dedicated server, but the bulk of it is really up to the user. If you’re concerned that your business’ website isn’t protected enough, there are some steps you can take to make it more secure. Here is what you should know about protecting your website beyond what your hosting company provides.

You may notice that your managed VPS or dedicated server comes with a level of complementary DDOS protection. DDOS attacks, essentially an attempt to knock your website offline with a flood of artificial traffic, are a very common malicious event that affect many organizations every year. Your hosting company can’t guarantee protection from every kind of attack, but many of the major causes are covered. These include UDP floods, NTP amplification, DNS amplification, Syn flood, volume based attacks, and fragmented packet attacks.

However many other kinds of attacks are dealt with at the server level and rely on users following some best practices.

At the server level, your cPanel access does give you a measure of control over how your installation handles nearly every kind of security configuration you can think of. The company has actually put out an extensive list of recommended settings that you may opt to follow. It is a bit of a deep dive. Your individual use case may mean some of these recommended settings won’t work for you, but unless you have highly specialized reasoning for that, it’s a good checklist to stick to.

A few years back this may have seemed like going the extra mile, but every modern browser nearly shames you into using HTTPS and with good reason. Ever notice the pronounced green lettering and lock next to a URL in Chrome if the site uses HTTPS? Going to a site without this seal of security feels almost dangerous in 2017. Ever since Google made the switch to HTTPS for all search traffic, Blogspot, and Gmail, it’s become expected that your site uses this security protocol as well. While it’s especially important to invest in an SSL certificate (which will get you this HTTPS designation) if you have an e-commerce site because you’re handling sensitive credit card information, there’s really no reason not to invest in one no matter what kind of site you have. SSL certificates don’t cost much and they’ll pay for themselves with improved customer confidence and SEO value.

Best cPanel practices are good for securing your site in the backend as is making the switch to HTTPS. But that’s the server itself. What about what you’re actually putting on that VPS? The software that makes up the customer facing part of your site, such as a CMS if you choose to use one, has to be maintained as well. An outdated CMS is a major risk factor when it comes to having your site compromised. Most websites run a CMS of some kind, with the big names being WordPress (the most widely used), Joomla, and Drupal. These are open source technologies which mean their source code is public and ripe for exploiting.

This doesn’t mean you should avoid using a CMS. It certainly makes creating and updating your site a lot easier. But you must be diligent in running software updates, including updating whatever plugins or add-ons you’ve also installed to improve your site’s functionality.

You’ll want to do a little renaming to better throw off any hackers who want to go straight to the source. A CMS like WordPress often automatically creates a very simple URL for access. For example, try going to a site you know uses WordPress and adding /wp-admin to the end of the URL. If you get to the log in screen, you know that site owner didn’t take the extra step to secure their site and change the default login URL.

Additionally, change your folder names. There are scripts that can be deployed by malicious third parties to scan the directories on your server to look for folders labeled “admin” or something similar. By renaming your admin folders to something recognizable only to yourself and your team you can get an easy win here. By masking some obvious entry points, you can add an extra layer of security that isn’t too technical in nature.

You can install some software to monitor and protect your site as well. One popular choice is a web application firewall. A web application firewall is essentially a cloud-based firewall that you subscribe to to protect your site from hacking attacks. A web application firewall can inspect the traffic coming into your site, identify malicious requests to stop them, protect from spam, SQL injections, and brute force attacks.

You may also opt to use an entire security package. There are many companies that offer monitoring services, vulnerability analyzers, virus scans, and all sorts of bell and whistles. If you want to outsource your security, these services will do that for a price.

Spectrum Tech provides the servers and hosting environments you need to succeed. With 24/7 customer support, industry leading uptime, complementary DDOS protection, and a variety of hosting plans suitable for businesses of all sizes, Spectrum Tech aims to meet all of your business needs. Contact us today and speak with one of our team members about which managed VPS or dedicated server plan would make the most sense for your business. Let’s partner together to help you reach your goals.